Oracle Critical Patch Update April 2013

Oracle published two critical security updates today. First, a new version of Java has been released that addresses 42 distinct vulnerabilities, with 19 having the highest possible CVSS score of “10” allowing an attacker to take full control of the machine. This update also addresses the vulnerabilities found during the PWN2OWN competition at CanSecWest in Vancouver in March, where Java was exploited by three different security researchers. Oracle also changed the alerts that come up when one runs a Java applet, introducing distinct states giving overall more information on the nature of the applet. The new versions are update 21 for Java v7 and update 45 for Java v6.

Also today, the Oracle Critical Patch Update (CPU) came out that addresses all other Oracle products. Overall, the April 2013 CPU fixes over 120 vulnerabilities in 13 product groups. An accurate map of installed software will be crucial in applying these patches due to the large number of products covered. We recommend starting with Internet exposed services first, and then moving by the CVSS scores attached to the vulnerability.

Here’s an overview of this large update:

The Oracle RDBMS product has four updates with the highest CVSS score of 10. Organizations should place a high priority on mapping out whether they have exposed Oracle databases, and patch accordingly.

Oracle’s MySQL database has 25 vulnerabilities addressed, with a maximum CVSS score of 6.9, a mid level score that will give IT admins more time to react.

Oracle’s Fusion product group has 29 vulnerabilities addressed, with a top score of 10. Patch as quickly as possible. One of the vulnerabilities is in the Oracle Outside-In product, which is used by Microsoft Exchange server. It is scored at “6.8”, which means we will see an Exchange update in the near future.

Oracle Solaris is affected by 16 flaws with a top score of “6.4”, with two vulnerabilities remotely exploitable. IT admins should focus first on these two vulnerabilities in their patch priority list.

In addition to Oracle, Apple also published two security updates. The first one addresses Java 6 which Apple maintains on Mac OS X, and the second one addresses a vulnerability in Webkit, the HTML rendering engine in Safari. The Webkit vulnerability was also orginally found in the PWN2OWN competition, but in this case in Google’s Chrome browser. Google fixed the vulnerability last month, the day after it was handed to them by the organizers of the competition.